Abstract. The problem of constructing elliptic curves suitable for pairing applications has received a lot of attention. To solve this, we propose a variant algorithm of a known method by Brezing and Weng. We produce new families of parameters using our algorithm for pairing-friendly elliptic curves of embedding degree 8, and we actually compute some explicit curves as numerical examples.



1 Introduction 



Research on pairing-based cryptographic schemes has received much interest over the past few years. Recently many new and novel protocols have been proposed, as in [13, 4, 5, 10]. A randomly chosen elliptic curve, however, rarely has a subgroup of large prime order, therefore the construction of "pairing-friendly" elliptic curves is one of the important problems for cryptography [2].

Let E be an elliptic curve defined over a finite field $\mathbb{F}_q$, and let r be the largest prime dividing $\#E(\mathbb{F}_q) = q + 1 - t$, the order of the group of $\mathbb{F}_q$-rational points of E, where t is the Frobenius trace. We define the embedding degree as the smallest positive integer k such that r divides $q^k - 1$. The parameters required to determine pairing-friendly elliptic curves are t, r, q, k and the CM discriminant D for the CM method introduced in [1] to construct elliptic curves.

In this paper, we study the problem of computing suitable parameters t, r, q from given parameters k, D. We employ the method proposed in [7, 6], which generates a family of pairing-friendly curves by considering t, r, q as polynomials t(x), r(x), q(x) in a new parameter x. We restrict the embedding degree to k = 8 and the CM discriminant to D = 1. The key point is how to choose a good r(x). Instead of taking r(x) to be the $\ell$th cyclotomic polynomial $\Phi_\ell(x)$ for a multiple $\ell$ of k, we modify the original method by starting from a finite subset of the kth cyclotomic field $\mathbb{Q}(\zeta_k)$, with $\zeta_k$ a primitive kth root of unity, so that r(x) can be computed systematically. As a result, we obtain new families of pairing-friendly curves, which are given explicitly in Table 1 and Theorem 5 of Section 3. We also give, for the first time in this case as far as we know, explicit numerical results, in Examples 1-3.



This paper is organized as follows. Section 2 gives a brief mathematical definition of curves suitable for pairing-based cryptography and the method of construction we used to generate our curves. In Section 3 we give our algorithm to construct curves. Section 4 gives numerical examples of curves that we generate using our parameters. Finally, Section 5 draws conclusions from our approach.

2 Our framework of pairing-friendly curves 

A survey on the construction of pairing-friendly elliptic curves is given by Freeman et al. [7]. We introduce several essential definitions from that paper to explain our algorithm, and we use the same notation as that paper without further notice. In the following, lg denotes the base-2 logarithm.

2.1 Families of curves for pairing 

First, we give the definition of pairing-friendly elliptic curves used in cryptography.

Definition 1 ([7, Definition 2.3]). Suppose E is an elliptic curve defined over $\mathbb{F}_q$. We say that E is pairing-friendly if E satisfies the following conditions:

(1) there is a prime $r > \sqrt{q}$ such that $r \mid \#E(\mathbb{F}_q)$;

(2) the embedding degree of E with respect to r is less than $(\lg r)/8$.

For cryptographic applications of pairings, we basically require sufficient security of the elliptic curve discrete logarithm problem (ECDLP). In fact, with this definition, suitable sizes of r and $q^k$ seem to avoid every known attack on the ECDLP today [7].

Next, we explain how to construct pairing-friendly curves. The parameter q 
has to be a prime power. If a family of pairing-friendly curves represented by 
t{x), r{x) and q{x) is given, we anticipate that q{x) is a prime power for infinitely 
many x. Freeman et al. gave a definition with a familiar conjecture as follows [7, 
Section 2]. 

Definition 2. Let f(x) be a polynomial with rational coefficients. We say f represents primes if the following conditions are satisfied.

(1) f(x) is non-constant and irreducible.

(2) f(x) has positive leading coefficient.

(3) $f(x) \in \mathbb{Z}$ for some $x \in \mathbb{Z}$.

(4) $\gcd(\{ f(x) \mid x, f(x) \in \mathbb{Z} \}) = 1$.

We use this definition to define families of pairing-friendly curves. 

Definition 3 ([7, Definition 2.6]). For a given positive integer k and positive square-free integer D, the triple (t, r, q) represents a family of elliptic curves with embedding degree k and discriminant D if the following conditions are satisfied:

(1) $q(x) = p(x)^d$ $(d \ge 1)$ for a polynomial p(x) that represents primes.

(2) $r(x) = c \cdot f(x)$ $(c \in \mathbb{Z}_{\ge 1})$ for a polynomial f(x) that represents primes.

(3) $r(x) \mid q(x) + 1 - t(x)$.

(4) $r(x) \mid \Phi_k(t(x) - 1)$, where $\Phi_k$ is the kth cyclotomic polynomial.

(5) The CM equation $4q(x) - t(x)^2 = Dy^2$ $(D \in \mathbb{Z}_{> 0})$ has infinitely many integer solutions (x, y).

For a family (t(x), r(x), q(x)), if the CM equation in (5) has a suitable integer solution $(x_0, y_0)$ with both $p(x_0)$ and $f(x_0)$ prime, then we are able to construct a curve E over $\mathbb{F}_{q(x_0)}$ such that $E(\mathbb{F}_{q(x_0)})$ has a subgroup of order $r(x_0)$ and embedding degree k with respect to $f(x_0)$, by using the CM method in [1].

We therefore define a parameter $\rho$ that represents how close a curve is to the ideal case in which $\#E(\mathbb{F}_q)$ is prime, as follows.

Definition 4 ([7, Definition 2.7]).

(1) Let $E/\mathbb{F}_q$ be an elliptic curve, and suppose E has a subgroup of order r. The $\rho$-value of E (with respect to r) is
$$\rho(E) = \frac{\log q}{\log r}.$$

(2) Let $t(x), r(x), q(x) \in \mathbb{Q}[x]$, and suppose (t, r, q) represents a family of elliptic curves with embedding degree k. The $\rho$-value of the family represented by (t, r, q) is
$$\rho(t, r, q) = \lim_{x \to \infty} \frac{\log q(x)}{\log r(x)} = \frac{\deg q(x)}{\deg r(x)}.$$


By Definition 1, a pairing-friendly curve E has $\rho(E) < 2$. The smaller the $\rho$-value, the faster the computation on points of the elliptic curve (see [7, Section 1.1]). On the other hand, the Hasse bound implies that $\rho(t, r, q)$ is always at least 1. Finding parameters efficiently with r and q of the same bit size, i.e. with $\rho(E)$ close to 1, is one of the important problems for cryptography.

2.2 Original method 

In this section, we briefly explain the construction of curves satisfying the conditions of Definition 3 proposed by Brezing and Weng [6] (see also [7, Section 6.1]).

Theorem 1. Fix a positive integer k and a positive square-free integer D. Execute the following steps:

Step 1. Choose a number field K containing a primitive kth root of unity $\zeta_k$ and $\sqrt{-D}$.

Step 2. Find an irreducible polynomial $r(x) \in \mathbb{Z}[x]$ such that $\mathbb{Q}[x]/(r(x)) \cong K$.

Step 3. Let $t(x) \in \mathbb{Q}[x]$ be a polynomial mapping to $\zeta_k + 1 \in K$.

Step 4. Let $y(x) \in \mathbb{Q}[x]$ be a polynomial mapping to $(\zeta_k - 1)/\sqrt{-D} \in K$. (So, if we discover a polynomial $s(x) \in \mathbb{Q}[x]$ mapping to $\sqrt{-D} \in K$, then $y(x) \equiv (2 - t(x))\,s(x)/D \pmod{r(x)}$.)

Step 5. Let $q(x) = (t(x)^2 + D\,y(x)^2)/4$.

If both r(x) and q(x) represent primes, then the triple (t, r, q) represents a family of curves with embedding degree k and CM discriminant D.

The $\rho$-value of this family is
$$\rho(t, r, q) = \frac{2 \max\{\deg t(x), \deg y(x)\}}{\deg r(x)} < 2.$$

For more details, refer to [7, Section 6.1]. To find a family of pairing-friendly elliptic curves efficiently, we have to choose a good r(x) satisfying $\zeta_k, \sqrt{-D} \in K$. The idea of Brezing and Weng, and also of Freeman et al., is as follows. Choose an integer multiple $\ell$ of k so that $\sqrt{-D} \in K = \mathbb{Q}(\zeta_\ell)$. Then let $r(x) = \Phi_\ell(x)$. They further give some sporadic families [7, Section 6.2]. Our idea, given explicitly below, is to construct such sporadic curves systematically.

3 Proposed algorithm 

3.1 Factorization of cyclotomic polynomial 

When we use the original method to construct families, the problem is how to choose the polynomials at Steps 2 and 3 of Theorem 1. If $\Phi_k(u(x))$ has a factorization over $\mathbb{Q}$ for some $u(x) \in \mathbb{Q}[x]$, we let r(x) be one of its irreducible factors. Setting $K = \mathbb{Q}[x]/(r(x))$, we get $u(x) \mapsto \zeta_k$. But such factorizations are rare, so the families obtained by this technique are called "sporadic" families by Freeman et al. [7, §6.2].

One technique to find such u(x) was discussed by Galbraith, McKee and Valença, who proved the important lemma below [8, Lemma 1]. Barreto and Naehrig [3] found a family of embedding degree 12 with quadratic u(x) and $\rho(t, r, q) = 1$ using this lemma. It was restricted to quadratic polynomials u(x). In fact, it is effective in the general case, as is easily seen from the proof there:

Lemma 1. Let $u(x) \in \mathbb{Q}[x]$ and let $\varphi$ be Euler's function. Then the polynomial $\Phi_k(u(x))$ has an irreducible factor of degree $\varphi(k)$ if and only if the equation
$$u(x) = \zeta_k \qquad (1)$$
has a solution in $\mathbb{Q}(\zeta_k)$.

We rediscover the family of elliptic curves of Freeman et al. [7, Example 6.18] using Lemma 1, and we try to construct new families of curves. We propose an algorithm for the construction of families of curves using Lemma 1 and Theorem 1. The algorithm is as follows.



Algorithm 2.

Input: Positive integers D, k such that $\sqrt{-D} \in \mathbb{Q}(\zeta_k)$, and a finite subset $S \subset \mathbb{Q}(\zeta_k)$.

Output: Families of elliptic curves with parameters t(x), r(x), q(x).

Step 1. For each $\omega \in S$, compute $u(x) \in \mathbb{Q}[x]$ such that equation (1) has the root $x = \omega$. If u(x) does not exist for any $\omega$, then the algorithm fails.

Step 2. For each u(x) at Step 1, compute all irreducible factors r(x) of the polynomial $\Phi_k(u(x))$.

Step 3. For each pair u(x), r(x) at Step 2, compute all polynomials $t(x) \in \mathbb{Q}[x]$ such that $\deg t(x) < \deg r(x)$ and $t(x) \equiv u(x)^m + 1 \pmod{r(x)}$ for all m with $1 \le m < k$, $\gcd(m, k) = 1$.

Step 4. For each pair r(x), t(x) at Step 3, execute Steps 4 and 5 of Theorem 1 to compute q(x).

Step 5. For each triple r(x), t(x), q(x) at Step 4, check whether q(x), r(x) represent primes. If q(x), r(x) represent primes, output the family t(x), r(x), q(x).

3.2 Algorithm refinement with method of indeterminate coefficients 

Let $\deg u(x) = 3$, as the case $\deg u(x) \le 2$ is studied in [8]. Set the embedding degree to k = 8. In Step 1 of Algorithm 2, we employ the method of indeterminate coefficients to compute u(x). This technique is also applicable for general k.

Write any rational cubic polynomial u(x) with coefficients $u_0, u_1, u_2, u_3$ as follows:
$$u(x) = \sum_{i=0}^{3} u_i x^i = u_3 x^3 + u_2 x^2 + u_1 x + u_0 \quad (u_i \in \mathbb{Q},\ u_3 \neq 0). \qquad (2)$$

We represent a given value $\omega \in \mathbb{Q}(\zeta_8)$ as follows:
$$\omega = \sum_{i=0}^{3} a_i \zeta_8^i = a_0 + a_1 \zeta_8 + a_2 \zeta_8^2 + a_3 \zeta_8^3 \quad (a_i \in \mathbb{Q}). \qquad (3)$$

To avoid operations in $\mathbb{Q}(\zeta_8)$, we replace $\zeta_8$ by x to get the following polynomial:
$$\omega(x) = \sum_{i=0}^{3} a_i x^i = a_3 x^3 + a_2 x^2 + a_1 x + a_0.$$

Next we look at the polynomial $u(\omega(x))$. Equation (1) is equivalent to $u(\omega(x)) \equiv x \pmod{\Phi_8(x)}$. We take
$$v(x) \equiv u(\omega(x)) \pmod{\Phi_8(x)}$$
to be the reduced polynomial of degree at most three, with coefficients expressed in terms of $u_i, a_i$. Equation (1) is thereby transformed into the polynomial equation
$$v(x) = x. \qquad (4)$$

We can easily show that the coefficients of the left-hand side of this equation are all linear combinations of the $u_i$. More precisely, it reduces to solving the following system of linear equations for $u_0, u_1, u_2, u_3$:
$$A \begin{pmatrix} u_0 \\ u_1 \\ u_2 \\ u_3 \end{pmatrix} = \begin{pmatrix} 0 \\ 1 \\ 0 \\ 0 \end{pmatrix}, \qquad (5)$$
where
$$A = \begin{pmatrix}
1 & a_0 & a_0^2 - a_2^2 - 2a_1a_3 & a_0^3 - 3a_2(a_0a_2 + a_1^2 - a_3^2) - 6a_0a_1a_3 \\
0 & a_1 & 2a_0a_1 - 2a_2a_3 & a_3^3 - 3a_1(a_1a_3 + a_2^2 - a_0^2) - 6a_0a_2a_3 \\
0 & a_2 & a_1^2 + 2a_0a_2 - a_3^2 & -a_2^3 + 3a_0(a_0a_2 + a_1^2 - a_3^2) - 6a_1a_2a_3 \\
0 & a_3 & 2a_1a_2 + 2a_0a_3 & a_1^3 - 3a_3(a_1a_3 + a_2^2 - a_0^2) + 6a_0a_1a_2
\end{pmatrix},$$
the jth column of A being the coefficient vector of $\omega(x)^j \bmod \Phi_8(x)$ for $j = 0, 1, 2, 3$.



Let d and $n_i$ be as follows:
$$\begin{aligned}
d &= (a_1^2 + a_3^2)\bigl((a_1 - a_3)^2 + 2a_2^2\bigr)\bigl((a_1 + a_3)^2 - 2a_2^2\bigr), \\
n_0 &= a_2\,(5a_1^3a_2^2 - 5a_1^4a_3 - 5a_1a_2^2a_3^2 + 2a_2^4a_3 - 3a_3^5), \\
n_1 &= a_1^5 - 4a_1^3a_3^2 + 9a_1^2a_2^2a_3 + a_1(2a_2^4 + 3a_3^4) + 3a_2^2a_3^3, \\
n_2 &= a_1^3a_2 + 3a_1a_2a_3^2 - 2a_2^3a_3, \\
n_3 &= 2a_1a_2^2 - a_1^2a_3 + a_3^3.
\end{aligned} \qquad (6)$$



If d is nonzero, then we can solve the system (5). The solution is
$$\begin{aligned}
u_0 &= -(n_3a_0^3 + n_2a_0^2 + n_1a_0 - n_0)/d, \\
u_1 &= (3n_3a_0^2 + 2n_2a_0 + n_1)/d, \\
u_2 &= -(3n_3a_0 + n_2)/d, \\
u_3 &= n_3/d.
\end{aligned} \qquad (7)$$



We now have a concrete solution for k = 8 with $\deg u(x) = 3$. Although this method of indeterminate coefficients can be used for any embedding degree k, it is not certain whether the solution obtained is as simple as the one discussed here. We present the following theorem as a result of the solutions we computed.

Theorem 3. For $\omega \in \mathbb{Q}(\zeta_8)$ given by (3), let $d, n_i$ be as in (6). Then equation (1) has a solution $x = \omega$ for a cubic polynomial $u(x) \in \mathbb{Q}[x]$ if and only if both d and $n_3$ are nonzero, and this u(x) is uniquely determined by (7) and (2). For this u(x), at least one irreducible quartic polynomial is a factor of $\Phi_8(u(x))$.

For a cubic polynomial u(x) given by Theorem 3, we take an irreducible quartic factor r(x) from the factorization of $\Phi_8(u(x))$. If we let $t(x) \equiv u(x)^{2n+1} + 1 \pmod{r(x)}$ $(0 \le n \le 3)$, then Step 3 of Algorithm 2 is finished. We continue the computation under the assumption that k = 8 and $\sqrt{-D} \in \mathbb{Q}(\zeta_k)$. We can choose the CM discriminant D = 1. Then we take $s(x) = (t(x) - 1)^2 \mapsto \sqrt{-1}$ and execute Steps 4 and 5 of Algorithm 2 to get a family of curves.

We now state the refinement of Algorithm 2 restricted to our special case:



Algorithm 4. Let k := 8, D = 1, $\deg u(x) = 3$.

Input: A finite subset $S \subset \mathbb{Q}(\zeta_8)$.

Output: Families of elliptic curves with parameters t(x), r(x), q(x).

Step 1. For each $\omega \in S$, compute $d, n_i$ by equation (6), and let $S' = \{\omega \in S \mid d \neq 0, n_3 \neq 0\}$. If S' is empty, then the algorithm fails.

Step 2. For each $\omega \in S'$, compute u(x) by equations (7) and (2).

Step 3. For each u(x) of Step 2, compute all irreducible factors r(x) of the polynomial $\Phi_8(u(x))$.

Step 4. For each pair u(x), r(x) of Step 3, compute all polynomials $t(x) \in \mathbb{Q}[x]$ such that $\deg t(x) < \deg r(x)$ and $t(x) \equiv u(x)^m + 1 \pmod{r(x)}$ for all m = 1, 3, 5, 7.

Step 5. Compute $y(x) \equiv (2 - t(x))(t(x) - 1)^2 \pmod{r(x)}$ $(\deg y(x) < \deg r(x))$.

Step 6. Let $q(x) = (t(x)^2 + y(x)^2)/4$.

Step 7. For each triple r(x), t(x), q(x) at Step 6, check whether q(x), r(x) represent primes. If q(x), r(x) represent primes, output the family t(x), r(x), q(x).



3.3 Examples 



Table 1. Sporadic families generated from cubic u(x) with embedding degree 8

lc(u) | u(x)                          | t(x)       | deg r(x) | deg q(x) | rho(t,r,q)
------|-------------------------------|------------|----------|----------|-----------
2     | 2x^3 + 4x^2 + 6x + 3          | u(x)^m + 1 | 4        | 6        | 3/2
9     | 9x^3 + 3x^2 + 2x + 1          | u(x)^m + 1 | 4        | 6        | 3/2
17    | 17x^3 + 32x^2 + 24x + 6       | u(x)^m + 1 | 4        | 6        | 3/2
18    | 18x^3 + 39x^2 + 31x + 7       | u(x)^m + 1 | 4        | 6        | 3/2
64    | 64x^3 + 112x^2 + 75x + 18     | u(x)^m + 1 | 8        | 14       | 7/4
68    | 68x^3 + 110x^2 + 65x + 15     | u(x)^m + 1 | 4        | 6        | 3/2
82    | 82x^3 + 108x^2 + 54x + 9      | u(x)^m + 1 | 4        | 6        | 3/2
144   | 144x^3 + 480x^2 + 539x + 202  | u(x)^m + 1 | 8        | 14       | 7/4
144   | 144x^3 + 96x^2 + 29x + 2      | u(x)^m + 1 | 8        | 14       | 7/4
216   | 216x^3 + 372x^2 + 263x + 69   | -          | -        | (†)      | -
225   | 225x^3 + 2x                   | -          | -        | (†)      | -
257   | 257x^3 + 256x^2 + 96x + 12    | u(x)^m + 1 | 4        | 6        | 3/2
388   | 388x^3 + 798x^2 + 561x + 134  | u(x)^m + 1 | 4        | 6        | 3/2
392   | 392x^3 + 980x^2 + 821x + 231  | u(x)^m + 1 | 8        | 14       | 7/4
450   | 450x^3 + 11x                  | -          | -        | (†)      | -
626   | 626x^3 + 500x^2 + 150x + 15   | u(x)^m + 1 | 4        | 6        | 3/2
738   | 738x^3 + 1488x^2 + 1006x + 229| u(x)^m + 1 | 4        | 6        | 3/2
800   | 800x^3 + 9x                   | u(x)^m + 1 | 8        | 14       | 7/4
873   | 873x^3 + 969x^2 + 379x + 53   | u(x)^m + 1 | 4        | 6        | 3/2

(In the t(x) column, m is one of the odd exponents 1, 3, 5, 7 of Step 4 of Algorithm 4; the particular exponent of each row is not legible in this copy. The symbol (†) is explained below.)


In Table 1 we give the result of the computation of the polynomials u(x) by MAGMA [11] using Algorithm 4. The heading lc(u) denotes the leading coefficient of u(x). We choose the input $S = \{\omega \in \mathbb{Q}(\zeta_8) \mid \omega = \sum_{i=0}^{3} a_i \zeta_8^i,\ a_i \in \mathbb{Z},\ 0 \le a_i < 300\}$. In the actual computation, to make the polynomial coefficients small, we further transform the u(x) obtained in Step 2 of Algorithm 4 into $u(ax + b) \in \mathbb{Z}[x]$ with suitable $a, b \in \mathbb{Q}$, $a \neq 0$. After the computation by MAGMA, we tried to construct families for $\lg \mathrm{lc}(u) < 10$. We explain the symbols in Table 1. For the column deg q(x), the symbol (†) denotes that q(x) does not represent primes for any pair t(x), r(x). For rows, bold notation marks a family of curves such that both q(x) and r(x) are primes for many integers x.

We discovered many pairing-friendly families of curves with $\rho = 3/2$, and also rediscovered the family with lc(u) = 9 of Freeman et al. [7, Example 6.18]. It is interesting to note that for lc(u) = 2, 82, 626, 738, both q(x) and r(x) are prime for (infinitely) many integers x. We describe the case lc(u) = 82 in detail as follows.

Theorem 5. The polynomials $t(x), r(x), q(x) \in \mathbb{Z}[x]$ given as follows represent a family of elliptic curves with embedding degree k = 8 and CM discriminant D = 1. This family indeed generates pairing-friendly elliptic curves.
$$\begin{aligned}
t(x) &= -82x^3 - 108x^2 - 54x - 8, \\
r(x) &= 82x^4 + 108x^3 + 54x^2 + 12x + 1, \\
q(x) &= 379906x^6 + 799008x^5 + 705346x^4 + 333614x^3 + 88945x^2 + 12636x + 745.
\end{aligned}$$

Proof. The former half is already proved by Algorithm 4, so we only need to prove the latter half. We may verify that both $q(x_0)$ and $r(x_0)$ are prime for some integer $x_0$. We take $x_0 = 104$; then we get $q(x_0) = 490506332802458249$ and $r(x_0) = 9714910817$. Both of these are primes, so we can generate pairing-friendly curves from them. □

From a family of curves, we can actually construct pairing-friendly curves: find an integer x such that q(x) is prime and check whether r(x) is prime. To find such an integer x, we can reduce the number of candidates by the Chinese remainder theorem.

Lemma 2. If an integer q(x) in Theorem 5 is a prime, then $x \equiv 14, 24 \pmod{30}$.

Proof. We can easily check that q(x) is even if x is odd. We see that
$$q(x) \equiv x^6 + 3x^5 + x^4 + 4x^3 + x \pmod 5.$$
So $q(x) \equiv 0 \pmod 5$ if $x \not\equiv 4 \pmod 5$. In the same way we see that
$$q(x) \equiv x^6 + x^4 + 2x^3 + x^2 + 1 \pmod 3.$$
So $q(x) \equiv 0 \pmod 3$ if $x \equiv 1 \pmod 3$. Then by the Chinese remainder theorem, q(x) has none of the prime factors 2, 3 and 5 only if $x \equiv 14, 24 \pmod{30}$. □
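As an added worked example (not code from the paper), the following Python implements equations (6) and (7) of Theorem 3 and Steps 4-6 of Algorithm 4 with exact rational polynomial arithmetic, and applies them to the lc(u) = 82 family of Theorem 5. The function names are ours; the coefficients of u(x) and r(x) are taken from Table 1 and Theorem 5, and the exponent m = 5 (which gives t(x) = 1 - u(x) mod r(x)) is read off from the t(x) of Theorem 5.

```python
from fractions import Fraction as Fr
# Polynomials over Q are lists of Fractions, lowest degree first.
def trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def add(p, q):
    n = max(len(p), len(q))
    return trim([(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0) for i in range(n)])

def mul(p, q):
    out = [Fr(0)] * (len(p) + len(q) - 1)
    for i, c in enumerate(p):
        for j, e in enumerate(q):
            out[i + j] += c * e
    return trim(out)

def mod(p, m):
    """Remainder of p on division by m over Q (m need not be monic)."""
    p = trim([Fr(c) for c in p])
    while len(p) >= len(m) and p != [0]:
        c, k = p[-1] / m[-1], len(p) - len(m)
        for i, e in enumerate(m):
            p[i + k] -= c * e
        p = trim(p)
    return p
def evaluate(p, x):
    return sum(c * Fr(x) ** i for i, c in enumerate(p))
def cubic_from_omega(a0, a1, a2, a3):
    """Equations (6) and (7): the cubic u(x) with u(omega) = zeta_8 for
    omega = a0 + a1*zeta_8 + a2*zeta_8^2 + a3*zeta_8^3 (Theorem 3)."""
    a0, a1, a2, a3 = map(Fr, (a0, a1, a2, a3))
    d = (a1**2 + a3**2) * ((a1 - a3)**2 + 2*a2**2) * ((a1 + a3)**2 - 2*a2**2)
    n0 = a2 * (5*a1**3*a2**2 - 5*a1**4*a3 - 5*a1*a2**2*a3**2 + 2*a2**4*a3 - 3*a3**5)
    n1 = a1**5 - 4*a1**3*a3**2 + 9*a1**2*a2**2*a3 + a1*(2*a2**4 + 3*a3**4) + 3*a2**2*a3**3
    n2 = a1**3*a2 + 3*a1*a2*a3**2 - 2*a2**3*a3
    n3 = 2*a1*a2**2 - a1**2*a3 + a3**3
    if d == 0 or n3 == 0:
        raise ValueError("Theorem 3: no cubic u(x) exists for this omega")
    return [-(n3*a0**3 + n2*a0**2 + n1*a0 - n0) / d, (3*n3*a0**2 + 2*n2*a0 + n1) / d,
            -(3*n3*a0 + n2) / d, n3 / d]
PHI8 = [Fr(1), Fr(0), Fr(0), Fr(0), Fr(1)]  # Phi_8(x) = x^4 + 1
def u_of_omega_mod_phi8(u, a):
    """v(x) = u(omega(x)) mod Phi_8(x) by Horner's rule; equation (4) requires v(x) = x."""
    v = [Fr(0)]
    for c in reversed(u):
        v = mod(add(mul(v, [Fr(ai) for ai in a]), [Fr(c)]), PHI8)
    return v

def family_from_u(u, r, m):
    """Algorithm 4, Steps 4-6 (k = 8, D = 1): t = u^m + 1 and y = (2 - t)(t - 1)^2,
    both reduced mod r(x), then q = (t^2 + y^2)/4.  Returns (t, y, q)."""
    t = [Fr(1)]
    for _ in range(m):                      # u^m, reduced mod r(x) at every step
        t = mod(mul(t, u), r)
    t = add(t, [Fr(1)])
    s = mod(mul(add(t, [Fr(-1)]), add(t, [Fr(-1)])), r)   # s = (t - 1)^2 maps to sqrt(-1)
    y = mod(mul(add([Fr(2)], [-c for c in t]), s), r)
    q = [c / 4 for c in add(mul(t, t), mul(y, y))]
    return t, y, q
# The lc(u) = 82 row of Table 1 and the r(x) of Theorem 5 (coefficients from the paper).
U82 = [9, 54, 108, 82]
R82 = [1, 12, 54, 108, 82]
```

Calling family_from_u(U82, R82, 5) returns exactly the t(x) and q(x) of Theorem 5, and cubic_from_omega raises for omega = zeta_8^2 = i, where d = 0 and no cubic u(x) exists.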



4 Examples of pairing-friendly curves 



By Theorem 5, we can generate pairing-friendly curves using [12, Theorems 3, 4]. The elliptic curve $E/\mathbb{F}_q$ with CM discriminant D = 1 is represented as
$$E : Y^2 = X^3 + aX \pmod q \quad (a \neq 0),$$
where a is a parameter. Since t is always divisible by 4 by the form of t(x) in Theorem 5, we can easily compute a by the method described in [12]. Using this, we give some numerical examples.

Example 1. For x = 24000000000010394 (lg x ≈ 54.4), we get

q = 72601167200444660495170346479178932899121731377660276881150532069758156754787842298703647640196322590069,
r = 27205632000047130716160030618261401480840452517707677193482845476817 (224-bit),
t = -1133568000001472850432000637893917136092090964291460,
#E(F_q) = 72601167200444660495170346479178932899121731377660278014718532071231007186788480192620783732287286881530,
a = 36300583600222330247585173239589466449560865688830138440575266034879078377393921149351823820098161295035.

Then lg r ≈ 224.0, lg q ≈ 345.0 and ρ(E) ≈ 1.54.

Example 2. For x = 6130400000000029634 (lg x ≈ 62.4), we get

q = 20165501539097468598089799012338448337497685268073419312994695960148519299615127959281952496431544631024161702159356789,
r = 115816144321490890478327891899665854763905033269185946585920376349372307631217 (256-bit),
t = -18892102362242321974058216300844394415164291734047019380020,
#E(F_q) = 20165501539097468598089799012338448337497685268073419312994714852250881541937102017498253340825959795315895749178736810,
a = 1008275076954873429904489950616922416874884263403670965649734798007425964980756397964097 62482157723155120808510796783952.

Then lg r ≈ 256.0, lg q ≈ 393.0 and ρ(E) ≈ 1.54.



Example 3. For x = -72057594037930756 (lg x ≈ 56.0), we get

q = 53180779126375041342927679012516474003955785403827730100050941212371435046023372666628598916049952969199369,
r = 2210715626706698491377041180063927762099958931722603805474805907424817 (230-bit),
t = 30679842370853915498340394208162985076164429477994640,
#E(F_q) = 53180779126375041342927679012516474003955785403827730069371098841517519547682978458465613839885523491204730,
a = 17726926375458347114309226337505491334651928467942576700016980404123811682007790888876199638683317656399790.

Then lg r ≈ 230.4, lg q ≈ 354.5 and ρ(E) ≈ 1.54. For the Ate pairing [9], it is important for efficient computation that t has a low Hamming weight. We tried to find a curve with r between 224 and 256 bits; in this example r has Hamming weight 72 and t has Hamming weight 45.

5 Conclusion 

We proposed a new algorithm for systematically constructing families of elliptic curves with given embedding degree and CM discriminant. It was shown to be effective by producing actual families of curves and explicit numerical examples for the case of embedding degree 8. The key point is employing the method of indeterminate coefficients to choose the polynomials. Obviously our method of indeterminate coefficients is also applicable to the general case.